RHEA-2018:2385 and RHEA-2018:2531 rhel-system-roles bug fix and enhancement update


The rhel-system-roles package includes a collection of Ansible roles and modules that provide a stable and consistent configuration interface for managing multiple versions of Red Hat Enterprise Linux. The rhel-system-roles package is available in the Red Hat Enterprise Linux 7 Extras channel.


With the RHEA-2018:2385 advisory, the network, timesync, kdump, and selinux roles of the rhel-system-roles package have received multiple bug fixes and significant enhancements to improve interface consistency, usability, and conformance to Ansible best practices.

Note that for the timesync, kdump, and selinux roles, the changes are not backward compatible and it is necessary to update playbooks that use them. In particular, all the variable names now follow the common convention with a <role>_ prefix and are all lower case for consistency.

Changes in the selinux role include:

  • The following variables have been renamed according to common conventions and to improve consistency with the selinux module:

    • SELinux_type to selinux_policy
    • SELinux_mode to selinux_state
    • SELinux_booleans to selinux_booleans
    • SELinux_file_contexts to selinux_file_contexts
    • SELinux_restore_dirs to selinux_restore_dirs
    • SELinux_ports to selinux_ports
    • SELinux_logins to selinux_logins
  • The selinux_change_running variable was removed without a functional change, because the role has always changed the running state and the variable was effectively ignored.

  • Local modifications to file contexts, ports, logins, and booleans are no longer dropped by default. The modifications specified in selinux_booleans, selinux_file_contexts, selinux_ports and selinux_logins are applied on top of pre-existing modifications. To obtain the previous behavior, set the new variables selinux_booleans_purge, selinux_fcontexts_purge, selinux_ports_purge and selinux_logins_purge (or just selinux_all_purge) to True.

  • Dictionaries that are passed to the selinux_file_contexts variable now provide the new state option, which is set to present by default. Setting it to absent drops individual modifications to file contexts.

  • If the selinux_state or selinux_policy variables are not defined, the selinux role preserves previous values. Only if the SELinux policy is not defined on the system and SELinux is enabled by the role, selinux_policy defaults to targeted.

  • Behavior in cases when a reboot is needed to apply the settings has been redefined. The selinux role now fails with an explanatory error message and sets the selinux_reboot_required custom fact to True. The role never reboots the managed host itself. The error needs to be handled in the playbook by using the block directive, and after rebooting the system, the role needs to be applied again. An example is shown in the provided example-selinux-playbook.yml playbook.
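
The following playbook is an added illustration of the changes above; it is not the shipped example-selinux-playbook.yml. It uses the renamed variables, one purge switch, a state: absent file context, and a block/rescue around the role that checks selinux_reboot_required. The role name as installed by the package, the reboot module (Ansible 2.7 or later), and the constructed path and SELinux type are assumptions.

```yaml
# Added example: apply the selinux role and handle the "reboot required" failure.
- hosts: all
  become: true
  vars:
    selinux_state: enforcing
    selinux_policy: targeted
    # Restore the pre-update behavior for ports only: local port
    # modifications not listed in selinux_ports are dropped.
    selinux_ports_purge: true
    selinux_file_contexts:
      # Constructed path and type: drop one earlier local modification.
      - target: '/srv/example(/.*)?'
        setype: httpd_sys_content_t
        state: absent
  tasks:
    - name: Apply the selinux role and catch a failure
      block:
        - include_role:
            name: rhel-system-roles.selinux
      rescue:
        # Re-raise when the failure was not the role's reboot request.
        # default(false) covers a failure before the fact was set.
        - name: Stop if the role failed for any other reason
          fail:
            msg: "selinux role failed and no reboot was requested"
          when: not (selinux_reboot_required | default(false))

        # The role never reboots the host itself, so the playbook does.
        - name: Reboot the managed host
          reboot:

        - name: Apply the role again after the reboot
          include_role:
            name: rhel-system-roles.selinux
```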

Changes in the timesync role include:

  • The following variables have been renamed according to common conventions:

    • ntp_servers to timesync_ntp_servers
    • ptp_domains to timesync_ptp_domains
    • dhcp_ntp_servers to timesync_dhcp_ntp_servers
    • clock_step_threshold to timesync_step_threshold
    • min_time_sources to timesync_min_sources
  • The NTP implementation can be chosen by setting the timesync_ntp_provider variable to either ntp or chrony. The timesync role detects the current provider and does not change it unless timesync_ntp_provider is set. The role also sets the timesync_ntp_provider_os_default variable to a value that conforms to the default choice for the OS release. To set the provider consistently for all hosts running the same OS release, use the following code in the playbook:

     timesync_ntp_provider: "{{ timesync_ntp_provider_os_default }}"
  • The default provider was changed to ntp on all minor versions of the Red Hat Enterprise Linux 6 operating system for consistency. As noted above, the currently running provider will not be changed unless the timesync_ntp_provider variable is set.

Changes in the kdump role include:

  • The following variables have been renamed according to common conventions:

    • dump_target to kdump_target
    • path to kdump_path
    • core_collector to kdump_core_collector
    • system_action to kdump_system_action
    • ssh_dump_user to kdump_ssh_user
    • ssh_dump_server to kdump_ssh_server
    • sshkey to kdump_sshkey
  • The dump_target.kind option has been renamed to kdump_target.type.

Changes in the network role include:

  • MAC VLAN support has been added.

  • A bug that prevented disabling autoconnect with the initscripts provider has been fixed.

  • A bug where the role failed during bridge configuration with the initscripts provider has been fixed.

  • The network role now allows setting the connection state to down regardless of whether it is defined in the configuration.

  • If the interface_name and mac options are not given, the value of the name option is used for interface_name. Setting interface_name to an empty string ("") specifies that the profile is not restricted to a network interface.

  • The network role now detects the provider if the network_provider variable is not given. When NetworkManager is running, the provider is set to nm, otherwise to initscripts. The role sets the network_provider_os_default variable based on the OS version.


With the RHEA-2018:2531 advisory, the network role has been updated to better represent the state of the network connections. The former state setting was split into two settings:

  • state, which represents the runtime state and accepts the values up and down
  • persistent_state, which represents the on-disk saved state of the connection profile and accepts the values present and absent
    Setting persistent_state to absent ensures that the profile does not exist; if it exists, it is deleted.

A compatibility layer ensures that all the values for state as defined previously are still accepted. However, it is recommended to update the playbooks to use the new syntax because the old one is deprecated.
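
An added example (not from the advisory or the role's own documentation) showing the two settings used separately: one profile is saved and activated, one is only deactivated at runtime, and one is deleted from disk. The profile names and the role name as installed by the package are assumptions.

```yaml
# Added example: runtime state and on-disk state set independently.
- hosts: all
  become: true
  vars:
    network_connections:
      # Save the profile on disk and activate it now.
      - name: eth1
        type: ethernet
        interface_name: eth1
        autoconnect: yes
        persistent_state: present
        state: up

      # Deactivate at runtime only. The saved profile is untouched,
      # so it remains available for later activation.
      - name: maintenance
        state: down

      # Delete the saved profile if it exists.
      # Deprecated spelling of the same request: "state: absent".
      - name: legacy-dmz
        persistent_state: absent
  roles:
    - rhel-system-roles.network
```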